Howdy,
In the course of running some tests I ran into some behavior that I wasn't
expecting; before I get too concerned about the problem I thought I would post
something here to get the group's take on it ...
The problem is that when I have system A sending UDP traffic to system B using
labeled IPsec if it does not find an existing SA with a matching SELinux
context it sends the packet without IPsec applied - even if there is an entry
in the SPD which requires IPsec be applied to the traffic. I have not tested
this yet with the lspp.71 kernel, but I see the problem on the lspp.70 kernel
and I don't see anything in the changelog which would make me think this has
been fixed. Please correct me if I'm wrong.
To give a more concrete example, I am using a SPD entry similar to the
following:
spdadd 10.0.0.2 10.0.0.3[5300] udp
-ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
-P out ipsec ah/transport//require;
Which should require traffic going from 10.0.0.2 to 10.0.0.3 over UDP port
5300 to have an AH transform applied using labeled IPsec. If the process on
10.0.0.2 is running in a domain with a MLS sensitivity label of "s0" then
everything works as expected. If the process is running in a domain with a
MLS sensitivity label of "s15:c0.c239" (or anything other than "s0" really)
the traffic is sent out on the wire without any IPsec applied at all.
I haven't filed a bug on this yet, I wanted to post this to the list first to
make sure I'm not doing something incredibly bone-headed ... although the
more I think about this the more I think we have a rather serious bug on our
hands. Can anyone prove me wrong? Please?
--
paul moore
linux security @ hp
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
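One way to confirm the leak described in the post from a packet capture on the sending host, added here as an example that is not part of the original message: it scans tcpdump -n style lines for UDP to 10.0.0.3:5300 that left without an AH or ESP header. The exact line layout tcpdump prints for transport-mode AH is an assumption, and the sample lines are constructed.

```python
import re

# Destination the SPD entry in the post protects: 10.0.0.3, UDP port 5300.
DST_IP = "10.0.0.3"
DST_PORT = 5300

# Constructed sample of tcpdump -n output (line layout is an assumption):
# first datagram carries the AH transform, second was sent in the clear,
# third goes to a port the SPD entry does not cover.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.2 > 10.0.0.3: AH(spi=0x00000100,seq=0x1): 10.0.0.2.40000 > 10.0.0.3.5300: UDP, length 32
12:00:01.000002 IP 10.0.0.2.40001 > 10.0.0.3.5300: UDP, length 32
12:00:01.000003 IP 10.0.0.2.40002 > 10.0.0.3.22: UDP, length 8
"""

# Plain (unprotected) UDP: the outer IP header carries the UDP ports directly.
PLAIN_UDP = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)


def is_protected(line):
    """True if tcpdump decoded an AH or ESP header on this packet."""
    return "AH(" in line or "ESP(" in line


def cleartext_violations(capture, dst_ip=DST_IP, dst_port=DST_PORT):
    """Return (src_ip, src_port) for every plain UDP datagram to dst_ip:dst_port.

    Any hit means a packet the SPD marks 'require' left the box without
    IPsec, which is the leak the post describes.
    """
    hits = []
    for line in capture.splitlines():
        if is_protected(line):
            continue
        m = PLAIN_UDP.search(line)
        if m and m.group(3) == dst_ip and int(m.group(4)) == dst_port:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    for src_ip, src_port in cleartext_violations(SAMPLE_CAPTURE):
        print(f"cleartext UDP {src_ip}:{src_port} -> {DST_IP}:{DST_PORT}")
```

Run it against a real capture (for example the output of tcpdump -n on the sender while a process in the "s15:c0.c239" domain sends to port 5300) and any reported line is a datagram the SPD should have blocked or protected.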